private git repo example

csantanapr · csantanapr · commit 91c7fb489288 · 2023-08-22T00:37:47.000-04:00
Signed-off-by: Carlos Santana &lt;csantana23@gmail.com&gt;
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/README.md b/argocd/iac/terraform/examples/eks/external-secrets/README.md
@@ -0,0 +1,24 @@
+# ArgoCD on Amazon EKS
+
+This example shows how to deploy Amazon EKS with addons configured via ArgoCD
+
+The example demonstrate how to use private git repository for workload apps
+
+Create a secret with name `github-ssh-key` and the content in plain text of git private ssh key
+
+Deploy EKS Cluster
+```shell
+terraform init
+terraform apply
+```
+
+Access Terraform output to configure `kubectl` and `argocd`
+```shell
+terraform output
+```
+
+Destroy EKS Cluster
+```shell
+cd hub
+./destroy.sh
+```
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/bootstrap/addons.yaml b/argocd/iac/terraform/examples/eks/external-secrets/bootstrap/addons.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bootstrap-addons
+  namespace: 'argocd'
+spec:
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: 'argocd'
+  project: default
+  source:
+    path: bootstrap/control-plane/addons
+    repoURL: https://github.com/gitops-bridge-dev/gitops-bridge-argocd-control-plane-template
+    targetRevision: HEAD
+    directory:
+      recurse: true
+      exclude: exclude/*
+  syncPolicy:
+    automated: {}
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/bootstrap/workloads.yaml b/argocd/iac/terraform/examples/eks/external-secrets/bootstrap/workloads.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bootstrap-workloads
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: envs/dev
+    repoURL: git@github.com:aws-samples/eks-blueprints-workloads.git
+    targetRevision: HEAD
+  syncPolicy:
+    syncOptions:
+    - CreateNamespace=true
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/destroy.sh b/argocd/iac/terraform/examples/eks/external-secrets/destroy.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+set -x
+
+# Delete the Ingress/SVC before removing the addons
+TMPFILE=$(mktemp)
+terraform output -raw configure_kubectl > "$TMPFILE"
+source "$TMPFILE"
+
+kubectl delete svc -n argocd argo-cd-argocd-server
+
+terraform destroy -target="module.gitops_bridge_bootstrap" -auto-approve
+terraform destroy -target="module.eks_blueprints_addons" -auto-approve
+terraform destroy -target="module.eks" -auto-approve
+terraform destroy -target="module.vpc" -auto-approve
+terraform destroy -auto-approve
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/main.tf b/argocd/iac/terraform/examples/eks/external-secrets/main.tf
@@ -0,0 +1,248 @@
+provider "aws" {
+  region = local.region
+}
+data "aws_caller_identity" "current" {}
+data "aws_availability_zones" "available" {}
+
+provider "helm" {
+  kubernetes {
+    host                   = module.eks.cluster_endpoint
+    cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+    exec {
+      api_version = "client.authentication.k8s.io/v1beta1"
+      command     = "aws"
+      # This requires the awscli to be installed locally where Terraform is executed
+      args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region]
+    }
+  }
+}
+
+provider "kubectl" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    args        = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region]
+    command     = "aws"
+  }
+  load_config_file  = false
+  apply_retry_count = 15
+}
+
+provider "kubernetes" {
+  host                   = module.eks.cluster_endpoint
+  cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
+
+  exec {
+    api_version = "client.authentication.k8s.io/v1beta1"
+    command     = "aws"
+    # This requires the awscli to be installed locally where Terraform is executed
+    args = ["eks", "get-token", "--cluster-name", module.eks.cluster_name, "--region", local.region]
+  }
+}
+
+locals {
+  name            = "ex-${replace(basename(path.cwd), "_", "-")}"
+  environment     = "dev"
+  region          = "us-west-2"
+  cluster_version = "1.27"
+
+  aws_secret_manager_secret_name = "github-ssh-key"
+
+  aws_addons = {
+    enable_cert_manager = true
+    #enable_aws_efs_csi_driver                    = true
+    #enable_aws_fsx_csi_driver                    = true
+    #enable_aws_cloudwatch_metrics                = true
+    #enable_aws_privateca_issuer                  = true
+    #enable_cluster_autoscaler                    = true
+    #enable_external_dns                          = true
+    enable_external_secrets                      = true
+    #enable_aws_load_balancer_controller          = true
+    #enable_fargate_fluentbit                     = true
+    #enable_aws_for_fluentbit                     = true
+    #enable_aws_node_termination_handler          = true
+    #enable_karpenter                             = true
+    #enable_velero                                = true
+    #enable_aws_gateway_api_controller            = true
+    #enable_aws_ebs_csi_resources                 = true # generate gp2 and gp3 storage classes for ebs-csi
+    #enable_aws_secrets_store_csi_driver_provider = true
+  }
+  oss_addons = {
+    #enable_argo_rollouts                         = true
+    #enable_argo_workflows                        = true
+    #enable_cluster_proportional_autoscaler       = true
+    #enable_gatekeeper                            = true
+    #enable_gpu_operator                          = true
+    #enable_ingress_nginx                         = true
+    #enable_kyverno                               = true
+    #enable_kube_prometheus_stack                 = true
+    enable_metrics_server = true
+    #enable_prometheus_adapter                    = true
+    #enable_secrets_store_csi_driver              = true
+    #enable_vpa                                   = true
+    #enable_foo                                   = true # you can add any addon here, make sure to update the gitops repo with the corresponding application set
+  }
+  addons = merge(local.aws_addons, local.oss_addons, { kubernetes_version = local.cluster_version })
+
+  addons_metadata = merge(
+    module.eks_blueprints_addons.gitops_metadata,
+    {
+      aws_cluster_name = module.eks.cluster_name
+      aws_region       = local.region
+      aws_account_id   = data.aws_caller_identity.current.account_id
+      aws_vpc_id       = module.vpc.vpc_id
+    }
+  )
+
+  argocd_bootstrap_app_of_apps = {
+    addons    = file("${path.module}/bootstrap/addons.yaml")
+    workloads = file("${path.module}/bootstrap/workloads.yaml")
+  }
+
+  vpc_cidr = "10.0.0.0/16"
+  azs      = slice(data.aws_availability_zones.available.names, 0, 3)
+
+  tags = {
+    Blueprint  = local.name
+    GithubRepo = "github.com/csantanapr/terraform-gitops-bridge"
+  }
+}
+
+################################################################################
+# GitOps Bridge: Metadata
+################################################################################
+module "gitops_bridge_metadata" {
+  source = "../../../modules/gitops-bridge-metadata"
+
+  cluster_name = module.eks.cluster_name
+  environment  = local.environment
+  metadata     = local.addons_metadata
+  addons       = local.addons
+}
+
+################################################################################
+# GitOps Bridge: Bootstrap
+################################################################################
+module "gitops_bridge_bootstrap" {
+  source = "../../../modules/gitops-bridge-bootstrap"
+
+  argocd_cluster               = module.gitops_bridge_metadata.argocd
+  argocd_bootstrap_app_of_apps = local.argocd_bootstrap_app_of_apps
+}
+
+################################################################################
+# AWS Secret Manager
+################################################################################
+data "aws_secretsmanager_secret" "git_ssh_key" {
+  name = local.aws_secret_manager_secret_name
+}
+
+
+################################################################################
+# EKS Blueprints Addons
+################################################################################
+module "eks_blueprints_addons" {
+  source = "github.com/csantanapr/terraform-aws-eks-blueprints-addons?ref=gitops-bridge-v2"
+
+  cluster_name      = module.eks.cluster_name
+  cluster_endpoint  = module.eks.cluster_endpoint
+  cluster_version   = module.eks.cluster_version
+  oidc_provider_arn = module.eks.oidc_provider_arn
+
+  # Using GitOps Bridge
+  create_kubernetes_resources = false
+
+  # EKS Blueprints Addons
+  enable_cert_manager                 = try(local.aws_addons.enable_cert_manager, false)
+  enable_aws_efs_csi_driver           = try(local.aws_addons.enable_aws_efs_csi_driver, false)
+  enable_aws_fsx_csi_driver           = try(local.aws_addons.enable_aws_fsx_csi_driver, false)
+  enable_aws_cloudwatch_metrics       = try(local.aws_addons.enable_aws_cloudwatch_metrics, false)
+  enable_aws_privateca_issuer         = try(local.aws_addons.enable_aws_privateca_issuer, false)
+  enable_cluster_autoscaler           = try(local.aws_addons.enable_cluster_autoscaler, false)
+  enable_external_dns                 = try(local.aws_addons.enable_external_dns, false)
+  enable_external_secrets             = try(local.aws_addons.enable_external_secrets, false)
+  enable_aws_load_balancer_controller = try(local.aws_addons.enable_aws_load_balancer_controller, false)
+  enable_fargate_fluentbit            = try(local.aws_addons.enable_fargate_fluentbit, false)
+  enable_aws_for_fluentbit            = try(local.aws_addons.enable_aws_for_fluentbit, false)
+  enable_aws_node_termination_handler = try(local.aws_addons.enable_aws_node_termination_handler, false)
+  enable_karpenter                    = try(local.aws_addons.enable_karpenter, false)
+  enable_velero                       = try(local.aws_addons.enable_velero, false)
+  enable_aws_gateway_api_controller   = try(local.aws_addons.enable_aws_gateway_api_controller, false)
+
+  tags = local.tags
+}
+
+################################################################################
+# EKS Cluster
+################################################################################
+#tfsec:ignore:aws-eks-enable-control-plane-logging
+module "eks" {
+  source  = "terraform-aws-modules/eks/aws"
+  version = "~> 19.13"
+
+  cluster_name                   = local.name
+  cluster_version                = local.cluster_version
+  cluster_endpoint_public_access = true
+
+
+  vpc_id     = module.vpc.vpc_id
+  subnet_ids = module.vpc.private_subnets
+
+  eks_managed_node_groups = {
+    initial = {
+      instance_types = ["t3.medium"]
+
+      min_size     = 3
+      max_size     = 10
+      desired_size = 3
+    }
+  }
+  # EKS Addons
+  cluster_addons = {
+    vpc-cni = {
+      # Specify the VPC CNI addon should be deployed before compute to ensure
+      # the addon is configured before data plane compute resources are created
+      # See README for further details
+      before_compute = true
+      most_recent    = true # To ensure access to the latest settings provided
+      configuration_values = jsonencode({
+        env = {
+          # Reference docs https://docs.aws.amazon.com/eks/latest/userguide/cni-increase-ip-addresses.html
+          ENABLE_PREFIX_DELEGATION = "true"
+          WARM_PREFIX_TARGET       = "1"
+        }
+      })
+    }
+  }
+  tags = local.tags
+}
+
+################################################################################
+# Supporting Resources
+################################################################################
+module "vpc" {
+  source  = "terraform-aws-modules/vpc/aws"
+  version = "~> 5.0"
+
+  name = local.name
+  cidr = local.vpc_cidr
+
+  azs             = local.azs
+  private_subnets = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 4, k)]
+  public_subnets  = [for k, v in local.azs : cidrsubnet(local.vpc_cidr, 8, k + 48)]
+
+  enable_nat_gateway = true
+  single_nat_gateway = true
+
+  public_subnet_tags = {
+    "kubernetes.io/role/elb" = 1
+  }
+
+  private_subnet_tags = {
+    "kubernetes.io/role/internal-elb" = 1
+  }
+
+  tags = local.tags
+}
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/outputs.tf b/argocd/iac/terraform/examples/eks/external-secrets/outputs.tf
@@ -0,0 +1,33 @@
+output "configure_kubectl" {
+  description = "Configure kubectl: make sure you're logged in with the correct AWS profile and run the following command to update your kubeconfig"
+  value       = <<-EOT
+    export KUBECONFIG="/tmp/${module.eks.cluster_name}"
+    aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}
+  EOT
+}
+
+output "configure_argocd" {
+  description = "Terminal Setup"
+  value       = <<-EOT
+    export KUBECONFIG="/tmp/${module.eks.cluster_name}"
+    aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}
+    export ARGOCD_OPTS="--port-forward --port-forward-namespace argocd --grpc-web"
+    kubectl config set-context --current --namespace argocd
+    argocd login --port-forward --username admin --password $(argocd admin initial-password | head -1)
+    echo "ArgoCD Username: admin"
+    echo "ArgoCD Password: $(kubectl get secrets argocd-initial-admin-secret -n argocd --template="{{index .data.password | base64decode}}")"
+    echo Port Forward: http://localhost:8080
+    kubectl port-forward -n argocd svc/argo-cd-argocd-server 8080:80
+    EOT
+}
+
+output "access_argocd" {
+  description = "ArgoCD Access"
+  value       = <<-EOT
+    export KUBECONFIG="/tmp/${module.eks.cluster_name}"
+    aws eks --region ${local.region} update-kubeconfig --name ${module.eks.cluster_name}
+    echo "ArgoCD URL: https://$(kubectl get svc -n argocd argo-cd-argocd-server -o jsonpath='{.status.loadBalancer.ingress[0].hostname}')"
+    echo "ArgoCD Username: admin"
+    echo "ArgoCD Password: $(kubectl get secrets argocd-initial-admin-secret -n argocd --template="{{index .data.password | base64decode}}")"
+    EOT
+}
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/secrets/argoapp.yaml b/argocd/iac/terraform/examples/eks/external-secrets/secrets/argoapp.yaml
@@ -0,0 +1,14 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: test-private-repo
+  namespace: argocd
+spec:
+  destination:
+    namespace: default
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: envs/dev
+    repoURL: git@github.com:aws-samples/eks-blueprints-workloads.git
+    targetRevision: HEAD
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/secrets/github.yaml b/argocd/iac/terraform/examples/eks/external-secrets/secrets/github.yaml
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/variables.tf b/argocd/iac/terraform/examples/eks/external-secrets/variables.tf
diff --git a/argocd/iac/terraform/examples/eks/external-secrets/versions.tf b/argocd/iac/terraform/examples/eks/external-secrets/versions.tf
